It should be noted that delivering a seamless and secure public Wi-Fi user experience was also possible before Passpoint and OpenRoaming. Enea has, for instance, helped mobile operators achieve this since 2010 through SIM-based authentication in our Wi-Fi Offloading solution. The difference is that such deployments were made per operator, for that operator's own subscribers, while OpenRoaming is a global initiative.
For the first time, an enterprise like a shopping mall, acting as an ANP, can roam with, e.g., several mobile operators acting as IDPs without the requirement for individual technical integrations. This, and the fact that IDPs can choose to roam only with ANPs delivering a certain level of quality of service, makes us believe that OpenRoaming may become the silver bullet for neutral host Wi-Fi Offloading. (See Figure 1 on previous page.)
The primary purpose of OpenRoaming is to simplify connecting to Wi-Fi networks while maintaining the highest levels of security and privacy. By establishing a standardized framework for seamless Wi-Fi roaming, OpenRoaming seeks to enhance the user experience, unlock new business opportunities, and drive innovation in wireless connectivity.
As discussed, one of the fundamental principles and the beauty of OpenRoaming is that access network providers, when also acting as identity providers, can roam with each other without being aware that the other party exists. Similarly, identity providers without any Wi-Fi network can authenticate and authorize their users to access Wi-Fi networks in the federation without knowing they exist.
There are five open technology standards enabling the OpenRoaming federation. Below, we will give an overview of these critical standards.
Figure 2. Source: Enea Whitepaper: All You Need To Know About OpenRoaming: Seamless and Secure Wi-Fi Everywhere
1. Passpoint
OpenRoaming is deployed either as a settlement-free service for all (currently the majority) or as a settled service, where individual IDPs and ANPs have a financial relationship and therefore exchange billing and settlement information.
Consequently, OpenRoaming offers two Passpoint Roaming Consortium Organization Identifiers (RCOIs) for accessing the service:
The OpenRoaming Passpoint RCOI is a 36-bit value. The first 24 bits form the base RCOI, which identifies the settled or settlement-free service, and the final 12-bit extension (the xx-xx part) implements the Closed Access Group (CAG) policies described later. (See Figure 2 above.)
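The following Python is an added worked example, not code from the whitepaper or from Enea's products. It splits a 36-bit RCOI into the 24-bit base and 12-bit CAG extension the text describes, re-encodes it for advertisement, and shows why a device profile must compare the whole value rather than the base alone. The base values used are constructed placeholders, not the real WBA-assigned RCOIs, and the wire layout (36 bits left-aligned in a 5-octet OI field with a zero padding nibble) is our assumption, not something the page states.

```python
"""Added example: handling an OpenRoaming-style 36-bit Passpoint RCOI.

Layout from the text: 24-bit base RCOI (settled or settlement-free service)
followed by a 12-bit Closed Access Group (CAG) extension.

ASSUMPTION (ours, not on the page): on the wire the 36 bits are left-aligned
in the 5-octet OI field of the Roaming Consortium element, so the low nibble
of the fifth octet is padding and must be zero.

The base values in SERVICE_BASES are CONSTRUCTED placeholders, not the real
WBA RCOIs.
"""
from dataclasses import dataclass

BASE_BITS = 24
EXT_BITS = 12
OI_OCTETS = 5
EXT_MASK = (1 << EXT_BITS) - 1

# Constructed placeholder bases for the two service variants the text describes.
SERVICE_BASES = {
    0xAABBCC: "settled (placeholder base)",
    0x112233: "settlement-free (placeholder base)",
}


@dataclass(frozen=True)
class Rcoi:
    base: int  # 24-bit base RCOI: which service (settled / settlement-free)
    ext: int   # 12-bit CAG extension: access-group policy bits

    def __post_init__(self) -> None:
        if not 0 <= self.base < (1 << BASE_BITS):
            raise ValueError("base must fit in 24 bits")
        if not 0 <= self.ext < (1 << EXT_BITS):
            raise ValueError("extension must fit in 12 bits")

    @property
    def value(self) -> int:
        """The full 36-bit RCOI as an integer."""
        return (self.base << EXT_BITS) | self.ext

    def service(self) -> str:
        """Name the service the base identifies, or flag an unknown base."""
        return SERVICE_BASES.get(self.base, "unknown base: not an OpenRoaming RCOI")

    def to_oi(self) -> bytes:
        """Encode as a 5-octet OI: 36 data bits + 4 zero padding bits."""
        return (self.value << 4).to_bytes(OI_OCTETS, "big")

    def dotted(self) -> str:
        """Human-readable form, e.g. AA-BB-CC-02-00."""
        return "-".join(f"{b:02X}" for b in self.to_oi())


def parse_oi(oi: bytes) -> Rcoi:
    """Decode a 5-octet OI field back into base and extension."""
    if len(oi) != OI_OCTETS:
        raise ValueError("a 36-bit RCOI occupies exactly 5 octets")
    raw = int.from_bytes(oi, "big")
    if raw & 0xF:
        raise ValueError("padding nibble of the fifth octet must be zero")
    value = raw >> 4
    return Rcoi(base=value >> EXT_BITS, ext=value & EXT_MASK)


def parse_dotted(text: str) -> Rcoi:
    """Parse 'AA-BB-CC-02-00' or 'AA:BB:CC:02:00' into an Rcoi."""
    return parse_oi(bytes.fromhex(text.replace("-", "").replace(":", "")))


def is_valid_oi(text: str) -> bool:
    """True when the dotted text is a well-formed 36-bit RCOI encoding."""
    try:
        parse_dotted(text)
        return True
    except ValueError:
        return False


def profile_matches(advertised: Rcoi, configured: Rcoi) -> bool:
    """A Passpoint profile matches an advertised OI only on an exact 36-bit
    comparison: same base (service) AND same CAG extension. Matching on the
    base alone would let a device join under a CAG policy it was not given."""
    return advertised.value == configured.value


if __name__ == "__main__":
    configured = Rcoi(base=0xAABBCC, ext=0x020)   # constructed profile entry
    print("profile  :", configured.dotted(), "->", configured.service())
    for beacon in ("AA-BB-CC-02-00", "AA-BB-CC-00-00", "11-22-33-00-00"):
        seen = parse_dotted(beacon)
        print(f"beacon {beacon}: {seen.service():40s} match={profile_matches(seen, configured)}")
```

The padding check in `parse_oi` is the kind of strictness a AAA or client-side RCOI matcher should keep: an OI whose trailing nibble is non-zero is not a valid 36-bit identifier and should be rejected rather than truncated into one that happens to match.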
2. WBA-PKI Certificates
The Wireless Broadband Alliance issues certificates for Access Network Providers (ANP) and Identity Providers (IDP), coupled with their individual WBA Identity (WBAID). The certificate must be installed in the Authentication, Authorization, and Accounting (AAA) servers for both the identity provider and access network provider roles. These WBA-PKI certificates enable trust between members even if they are unaware of each other. The certificates are also a prerequisite for the secure RADIUS (RadSec) communication between the participating AAA servers.
3. RadSec
RADIUS is a networking protocol that authenticates and authorizes users accessing the OpenRoaming federation's Wi-Fi networks. It is also used to send accounting data between the AAA servers of the ANP and IDP. RadSec is a protocol for transporting